Researchers from the Singapore University of Technology and Design have introduced Sni5Gect, a framework that intercepts and alters 5G network communications in real time, with consequences for mobile devices worldwide. Traditional over-the-air attacks rely on deploying a rogue base station, which is both costly and comparatively easy to detect. Sni5Gect instead sniffs a legitimate connection between a real base station and a phone and injects crafted messages at precise moments in the protocol flow, so it needs no rogue infrastructure of its own.
Exploiting the Pre-Authentication Window
Sni5Gect targets the pre-authentication phase of a 5G connection, the window between a device's initial attach and the activation of NAS and RRC security. Devices pass through it routinely, for example when leaving airplane mode, emerging from a tunnel, or stepping out of an elevator. During this brief window, control-plane messages between the base station (gNB) and the user equipment (UE) are neither integrity-protected nor encrypted, so an attacker can read them and manipulate the protocol flow without knowing any device credentials. The attacker model is a partial Dolev-Yao adversary that can eavesdrop on traffic and inject, replay, or modify downlink messages.
Technical Performance and Components
The paper reports strong results across multiple attack vectors. Testing on five commercial 5G devices, including the OnePlus Nord CE 2, Samsung Galaxy S22, Google Pixel 7, and Huawei P40 Pro, showed over 80% accuracy when sniffing both uplink and downlink traffic, and over 95% for downlink-only monitoring. Injection of crafted messages succeeded 70-90% of the time at distances of up to 20 meters using standard software-defined radio (SDR) hardware.
The framework comprises several sophisticated components working in concert:
– Syncher: Aligns with target 5G cells and maintains synchronization.
– Broadcast Worker: Extracts system information and monitors for new device connections.
– UETracker Instances: Follow individual devices through dedicated sniffers.
– GNB DL Injector: Crafts and transmits spoofed downlink messages that mimic the legitimate base station closely enough for the target UE to accept them.
Attack Categories and Real-World Impact
Researchers successfully demonstrated three primary attack categories using Sni5Gect:
1. One-Shot Attacks: Injecting single malicious messages that immediately crash devices or downgrade connections from 5G to less secure 4G networks.
2. Response-Based Attacks: Injecting messages and waiting for specific device responses, enabling techniques like SUCI catching for device fingerprinting and tracking.
3. Multi-Stage Downgrade Attacks: Injecting a replayed Authentication Request whose sequence number the device rejects as invalid. The device answers with an authentication failure and starts its T3520 timer; by keeping the device in that state until the timer expires, the attacker makes it treat the legitimate 5G cell as barred and fall back to 4G, and the device does not return to 5G even after extended waiting periods. The GSM Association tracks this issue under coordinated vulnerability disclosure identifier CVD-2024-0096.
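The downgrade chain in item 3, together with the unprotected pre-authentication window described above, can be followed in a small model of the UE side. The code below is an added illustration and is not Sni5Gect code or anything from the paper: the timer length `T3520_SECONDS`, the sequence-number acceptance window `SQN_WINDOW`, the "bar the cell on T3520 expiry" rule, and the assumption that the injector wins every race against the real gNB are all simplifications of 3GPP TS 24.501 behaviour, and the network's own SQN resynchronisation and retry are not modelled. The challenge messages and the timeline are constructed for the example.

```python
"""Added illustration (not Sni5Gect code): a simplified model of how a 5G UE
reacts to a replayed Authentication Request carrying a stale sequence number,
and how that drives the T3520 timer into the cell-barring fall-back to 4G.
Timer length, SQN window and barring rule are simplifications of TS 24.501."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed timer length for the model only; the real T3520 value is set by TS 24.501.
T3520_SECONDS = 15
# Assumed acceptance range above SQN_ms; the real check is done on AUTN via MILENAGE.
SQN_WINDOW = 32


@dataclass(frozen=True)
class AuthRequest:
    rand: bytes   # 16-byte challenge; the same RAND seen twice is a replay indicator
    sqn: int      # SQN the UE would recover from AUTN; modelled in the clear here


@dataclass
class UE:
    sqn_ms: int = 100                          # highest SQN accepted so far (assumed start)
    t3520_deadline: Optional[float] = None     # None while T3520 is not running
    cell_barred: bool = False
    rat: str = "5G"
    events: List[Tuple[float, str]] = field(default_factory=list)

    def on_auth_request(self, req: AuthRequest, now: float) -> str:
        """Return the (plaintext, pre-security) NAS message the UE sends back."""
        if self.cell_barred:
            self.events.append((now, "ignored: cell barred"))
            return "IGNORED"
        if self.sqn_ms < req.sqn <= self.sqn_ms + SQN_WINDOW:
            # Fresh challenge: accept it and stop T3520 if it was running.
            self.sqn_ms = req.sqn
            self.t3520_deadline = None
            self.events.append((now, "auth ok"))
            return "AUTHENTICATION RESPONSE"
        # Stale or out-of-range SQN: report synch failure and start T3520 once.
        if self.t3520_deadline is None:
            self.t3520_deadline = now + T3520_SECONDS
        self.events.append((now, f"synch failure sqn={req.sqn}"))
        return "AUTHENTICATION FAILURE (cause #21 synch failure)"

    def tick(self, now: float) -> None:
        """Advance the clock; on T3520 expiry the UE treats the network as false."""
        if self.t3520_deadline is not None and now >= self.t3520_deadline:
            self.t3520_deadline = None
            self.cell_barred = True   # model of "treat the active cell as barred"
            self.rat = "4G"           # model of the resulting fall-back to LTE
            self.events.append((now, "T3520 expired: cell barred, fallback to 4G"))


def run_timeline(timeline: List[Tuple[int, AuthRequest]], horizon: int = 20) -> UE:
    """Deliver each (second, request) pair to a fresh UE and tick the clock."""
    ue = UE()
    for now in range(horizon):
        for t, req in timeline:
            if t == now:
                ue.on_auth_request(req, now)
        ue.tick(now)
    return ue


# Constructed messages: one challenge sniffed during an earlier registration
# (its SQN is already consumed) and the fresh one the real gNB sends now.
CAPTURED = AuthRequest(rand=b"\x11" * 16, sqn=100)
FRESH = AuthRequest(rand=b"\x22" * 16, sqn=101)


def benign_timeline() -> List[Tuple[int, AuthRequest]]:
    return [(0, FRESH)]


def attack_timeline() -> List[Tuple[int, AuthRequest]]:
    # Injector re-sends the captured challenge every second (assumed to win each
    # race against the gNB); the real challenge only gets through after barring.
    return [(t, CAPTURED) for t in range(0, 16)] + [(18, FRESH)]


def find_replayed_challenges(msgs: List[AuthRequest]) -> List[int]:
    """Defender-side check over sniffed downlink: indices whose RAND was seen before."""
    seen, hits = set(), []
    for i, m in enumerate(msgs):
        if m.rand in seen:
            hits.append(i)
        seen.add(m.rand)
    return hits


if __name__ == "__main__":
    for t, what in run_timeline(attack_timeline()).events:
        print(f"t={t:2d}s  {what}")
```

The benign timeline ends with the UE still on 5G; the attack timeline ends with the cell barred and the later legitimate challenge ignored, which is the "does not come back" behaviour described in item 3. `find_replayed_challenges` is the kind of over-the-air check a defender's own sniffer could run, since a repeated RAND in Authentication Requests to one UE is not something a real core network produces.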
Building Upon Previous Research
This research builds upon previous 5G vulnerability discoveries, including the 5Ghoul attacks that affected over 700 smartphone models from 24 brands. Sni5Gect's ability to operate without rogue infrastructure, however, makes it considerably more practical to deploy in the real world: the attack hardware costs only a few thousand dollars and can be made portable, which raises concerns about misuse.
Open-Source Availability and Security Implications
The framework’s open-source availability through GitHub provides security researchers and network defenders with unprecedented capabilities for testing 5G infrastructure resilience. However, the researchers have responsibly withheld “other serious exploits” from public release while making the core framework available for legitimate security research.
This development underscores the ongoing security challenges facing 5G networks as they become increasingly critical infrastructure. While manufacturers like Qualcomm and MediaTek have released patches for known vulnerabilities, the emergence of new attack vectors like those enabled by Sni5Gect highlights the need for continued vigilance in 5G security research and development.
The research team emphasizes that Sni5Gect serves as both an offensive security tool and a defensive testing framework, enabling organizations to evaluate the real-world security posture of their 5G deployments against sophisticated over-the-air attacks that bypass traditional security assumptions.